Azure Application Gateway Concepts

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It provides features like Web Application Firewall (WAF), SSL termination, cookie-based session affinity, and URL-based content routing.

Core Components and Functionality

1. Frontend IP Configuration

This is the IP address (public or private) that Application Gateway listens on for incoming traffic. You can have multiple frontend IP configurations.

2. Listeners

A listener is a logical construct that defines the port, protocol (HTTP or HTTPS), hostname, and certificate (for HTTPS) on which the gateway accepts traffic. You can configure multiple listeners to route traffic based on different criteria.

3. Request Routing Rules

Request routing rules bind a listener to a backend pool and a backend health probe. They define how traffic arriving at a listener is routed to the backend servers. Rules can be configured for:

4. Backend Pools

A backend pool consists of the servers that receive the traffic directed by Application Gateway. These can be virtual machines, virtual machine scale sets, Azure App Services, or any other internet-reachable or private IP address.

5. Backend Health Probes

Application Gateway continuously monitors the health of the backend servers using health probes. If a server fails a probe, Application Gateway stops sending traffic to it until it becomes healthy again. Probes can be configured to use different protocols (HTTP, HTTPS, TCP) and paths.

6. HTTP Settings

HTTP settings define the parameters for the requests that Application Gateway forwards to the backend servers. This includes the backend port, protocol (HTTP/HTTPS), cookie-based affinity, connection draining, and SSL protocol settings.

Key Features

SSL Termination

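Application Gateway can decrypt SSL/TLS traffic at the gateway, relieving the backend servers of this computationally intensive task. The traffic between the gateway and the backend can then be sent over HTTP, which leaves that hop unencrypted. If the backend hop must also be encrypted, set the backend protocol to HTTPS in the HTTP settings.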

Web Application Firewall (WAF)

Application Gateway WAF protects your web applications from common web exploits and vulnerabilities such as SQL injection, cross-site scripting (XSS), and more. It offers managed rule sets and custom rule capabilities.

Cookie-Based Session Affinity

Also known as sticky sessions, this feature ensures that requests from the same client are always sent to the same backend server. This is useful for applications that rely on server-side session state.

URL-Based Content Routing

This feature allows you to route requests to different backend pools based on the URL path. For example, you can route requests for /images to a pool of image servers and requests for /api to a pool of API servers.

Connection Draining

When you update or remove backend servers, connection draining ensures that existing connections to those servers are gracefully completed before they are taken out of service. This prevents abrupt disconnections for users.

Redirection

Application Gateway can redirect HTTP traffic to HTTPS or to a different URL.
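The SSL termination, WAF, and redirection features above each have a weak configuration worth checking for. The following Python audit is an added example, not part of the original page or of any Azure tooling; the config dictionary, its field names, and the finding IDs are assumptions constructed for illustration and do not follow the ARM schema.

```python
# Added example: audit a simplified Application Gateway config for weak settings.
# The dict layout and field names are assumptions of this example, not the ARM schema.

SAMPLE_CONFIG = {  # constructed sample, not a real deployment
    "waf": {"enabled": True, "mode": "Detection"},
    "listeners": [
        {"name": "web-http", "protocol": "Http", "port": 80},
        {"name": "web-https", "protocol": "Https", "port": 443},
        {"name": "legacy-http", "protocol": "Http", "port": 8080},
    ],
    "rules": [
        {"name": "r-redirect", "listener": "web-http", "redirect_to": "web-https"},
        {"name": "r-web", "listener": "web-https", "http_settings": "be-plain"},
        {"name": "r-legacy", "listener": "legacy-http", "http_settings": "be-tls"},
    ],
    "http_settings": [
        {"name": "be-plain", "protocol": "Http", "port": 80},
        {"name": "be-tls", "protocol": "Https", "port": 443},
    ],
}


def audit(config):
    """Return a sorted list of (check_id, object_name) findings."""
    findings = []
    listeners = {item["name"]: item for item in config["listeners"]}
    settings = {item["name"]: item for item in config["http_settings"]}

    waf = config.get("waf") or {}
    if not waf.get("enabled"):
        findings.append(("waf-disabled", "gateway"))
    elif waf.get("mode") != "Prevention":
        # A WAF that only logs matches does not stop the request.
        findings.append(("waf-not-blocking", "gateway"))

    for rule in config["rules"]:
        listener = listeners[rule["listener"]]
        target = listeners.get(rule.get("redirect_to"))
        if listener["protocol"] == "Http":
            # A plaintext listener is acceptable only if it redirects to HTTPS.
            if not target or target["protocol"] != "Https":
                findings.append(("http-listener-serves-content", listener["name"]))
        backend = settings.get(rule.get("http_settings"))
        if backend and listener["protocol"] == "Https" and backend["protocol"] == "Http":
            # TLS ends at the gateway; the gateway-to-backend hop is cleartext.
            findings.append(("backend-hop-unencrypted", rule["name"]))
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports the cleartext backend hop, the HTTP listener that serves content instead of redirecting, and the WAF that is enabled but not blocking.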

Note: Application Gateway operates at Layer 7 (the application layer) of the OSI model, allowing for sophisticated traffic management based on HTTP attributes like URL paths, hostnames, and headers.

When to Use Application Gateway

Tip: For simple TCP/HTTP load balancing without Layer 7 features, consider using Azure Load Balancer.